Learn about Centmin Mod LEMP Stack today
Become a Member

OpenSSL [PATCH]30-40% ECDSA performance improvement - OpenSSL 1.1

Discussion in 'CentOS, Redhat & Oracle Linux News' started by buik, Jan 2, 2018.

  1. eva2000

    eva2000 Administrator Staff Member

    54,110
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    6:13 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    cheers @bassie patch worked
    Code (Text):
    cat /root/centminlogs/patch_opensslpatches_150818-012328.log
    
    ######################################################################
    Patching OpenSSL 1.1.0i
    ######################################################################
    30-40% performance improvement patch for ECDSA
    https://community.centminmod.com/posts/57725/
    ######################################################################
    /svr-setup/openssl-1.1.0i /svr-setup/openssl-1.1.0i
    patch -p1 < /usr/local/src/centminmod/patches/openssl/OpenSSL1.1i-improve-ECDSA-sign-30-40.patch
    patching file ECDSA-PATCH-CHANGELOG
    patching file crypto/ec/asm/ecp_nistz256-armv8.pl
    patching file crypto/ec/asm/ecp_nistz256-x86_64.pl
    patching file crypto/ec/ec_err.c
    patching file crypto/ec/ec_lcl.h
    Hunk #2 succeeded at 553 (offset 16 lines).
    Hunk #3 succeeded at 629 (offset 16 lines).
    patching file crypto/ec/ec_lib.c
    Hunk #1 succeeded at 257 (offset 1 line).
    Hunk #2 succeeded at 964 (offset 5 lines).
    Hunk #3 succeeded at 1009 (offset 5 lines).
    patching file crypto/ec/ecdsa_ossl.c
    Hunk #1 succeeded at 144 with fuzz 2 (offset -9 lines).
    patching file crypto/ec/ecp_nistz256.c
    Hunk #3 succeeded at 1488 (offset -16 lines).
    Hunk #4 succeeded at 1720 (offset -16 lines).
    patching file crypto/perlasm/x86_64-xlate.pl
    patching file include/openssl/ec.h
    /svr-setup/openssl-1.1.0i
    

    benchmarks before and after patching
    Code (Text):
    /opt/openssl/bin/openssl version -a
    OpenSSL 1.1.0i  14 Aug 2018
    built on: reproducible build, date unspecified
    platform: linux-x86_64
    options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
    OPENSSLDIR: "/opt/openssl"
    ENGINESDIR: "/opt/openssl/lib/engines-1.1"
    


    On Intel Xeon E3-1270v1 4CT/8T dedicated server with 16GB RAM and 240GB SSD

    before patching OpenSSL 1.1.0i


    Code (Text):
    /opt/openssl/bin/openssl speed -multi 8 rsa2048 ecdsap256
    
    OpenSSL 1.1.0i  14 Aug 2018
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                      sign    verify    sign/s verify/s
    rsa 2048 bits 0.000270s 0.000008s   3710.0 127752.2
                                  sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s  86956.5  34483.7
    


    after patching OpenSSL 1.1.0i


    Code (Text):
    /opt/openssl/bin/openssl speed -multi 8 rsa2048 ecdsap256
    
    OpenSSL 1.1.0i  14 Aug 2018
    built on: reproducible build, date unspecified
    options:bn(64,64) rc4(16x,int) des(int) aes(partial) idea(int) blowfish(ptr)
    compiler: ccache gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/opt/openssl\"" -DENGINESDIR="\"/opt/openssl/lib/engines-1.1\""  -Wa,--noexecstack
                      sign    verify    sign/s verify/s
    rsa 2048 bits 0.000270s 0.000008s   3696.9 128008.2
                                  sign    verify    sign/s verify/s
     256 bit ecdsa (nistp256)   0.0000s   0.0000s 121212.1  37736.7
    

    ECDSA performance patch has +39.39% faster ECDSA signs/s and +9.43% faster ECDSA verify/s :). Of course newer cpus will have better ECDSA performance but patch boost is nice :)
    OpenSSL 1.1.0i before vs after ECDSA Performance Patch rsa 2048 signs/s rsa 2048 verify/s ecdsa 256bit signs/s ecdsa 256bit verify/s
    OpenSSL 1.1.0i before ECDSA patch 3710.0 127752.2 86956.5 34483.7
    OpenSSL 1.1.0i after ECDSA patch 3696.9 128008.2 121212.1 37736.7


     
  2. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:13 AM
    Nice to hear that the up-to-date patch is working as it should be:)
     
  3. rdan

    rdan Well-Known Member

    5,443
    1,402
    113
    May 25, 2014
    Ratings:
    +2,194
    Local Time:
    4:13 PM
    Mainline
    10.2
    :( Sad for us using your patch for openssl 1.1.0.
     
  4. eva2000

    eva2000 Administrator Staff Member

    54,110
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    6:13 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  5. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:13 AM
    No problem. There is always someone to test the code with test sites for example @eva2000
     
  6. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:13 AM
  7. eva2000

    eva2000 Administrator Staff Member

    54,110
    12,179
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,739
    Local Time:
    6:13 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  8. buik

    buik “The best traveler is one without a camera.”

    2,026
    524
    113
    Apr 29, 2016
    Flanders
    Ratings:
    +1,674
    Local Time:
    9:13 AM
    Ok gonna update the patch with the upscaled OpenSSL 1.1.0i version number.
    Then it is clearer for visitors that it is compatible with the latest OpenSSL 1.1.0i.